ClamAV highload


#1

I am running ClamAV, however, somehow it makes high load on server. Without ClamAV, the load is less than 0.5. Now, it’s almost 4 all the time. I am also running ClamAV in other hosting Linux servers without this kind of high load. Any idea?

top - 23:00:50 up 1:42, 1 user, load average: 3.82, 3.82, 3.54
Tasks: 178 total, 5 running, 172 sleeping, 0 stopped, 1 zombie
%Cpu(s): 49.3 us, 1.1 sy, 0.0 ni, 49.6 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 16239732 total, 11245968 free, 3364356 used, 1629408 buff/cache
KiB Swap: 2095100 total, 2095100 free, 0 used. 12550436 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
8461 seafile 20 0 453260 365464 8948 R 100.0 2.3 0:11.43 clamscan
8462 seafile 20 0 644384 542796 8940 R 100.0 3.3 0:10.57 clamscan
8482 seafile 20 0 614988 508684 4380 R 100.0 3.1 0:08.22 clamscan
8490 seafile 20 0 380928 289444 4380 R 100.0 1.8 0:03.08 clamscan
2913 root 20 0 692920 78160 4048 S 0.7 0.5 0:30.73 python2.7
2914 root 20 0 692920 80384 3984 S 0.7 0.5 0:35.10 python2.7
3140 seafile 20 0 1215176 84076 5368 S 0.7 0.5 0:32.20 python2.7
3142 seafile 20 0 6164492 371756 15468 S 0.7 2.3 0:27.74 java


#2

If you set it up for an existing server it starts scanning all your files with - in your case - 4 simultaneous processes. Afair the number of simultaneous processes can be configured (at the cost of less scanning capacity).

I’ve also tested it myself and my conclusion is virus scanning is not worth the CPU time it costs.


#3

I also experienced high CPU and RAM Load using the clamscan command.
It would be much faster and less expensive if you use clamdscan. The difference between clamscan and clamdscan is that clamscan loads the engine every time for every file. clamdscan loads the engine only once.
Unfortunately Seafile saves every file which has to be scanned under /tmp with 600 permission. So clamdscan isn’t able to read the files since the deamon runs as clamav user. A workaround could be a little script which would be executed instead of the direct clamscan command in seafile.conf. All this script has to do is setting the read permission to clamav and afterwards scanning it. I know, it’s not ideal but much faster then clamscan.

Hopefully, it helped you.


#4

We’ve added documentation about how to run ClamAV as a daemon. You can find it at the end of this doc: https://github.com/haiwen/seafile-docs/blob/master/deploy_pro/virus_scan.md

That should greatly speed up the scanning.